- (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]

   [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
   [openbsd-compat/port-solaris.h] Add support for Solaris process
   contracts, enabled with --use-solaris-contracts. Patch from Chad
   Mynhier, tweaked by dtucker@ and myself; ok dtucker@

4 files changed, 223 insertions, 5 deletions

diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 67e521bfe..9f06605d7 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $
+# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o
+PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
         $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 18249d81e..278ac71d9 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.40 2006/07/12 13:10:34 dtucker Exp $ */
+/* $Id: openbsd-compat.h,v 1.41 2006/08/30 17:24:42 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -190,10 +190,12 @@ char *shadow_pw(struct passwd *pw);
 /* Routines for a single OS platform */
 #include "bsd-cray.h"
 #include "bsd-cygwin_util.h"
+
+#include "port-aix.h"
 #include "port-irix.h"
 #include "port-linux.h"
-#include "port-aix.h"
-#include "port-uw.h"
+#include "port-solaris.h"
 #include "port-tun.h"
+#include "port-uw.h"
 
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
new file mode 100644
index 000000000..f31f0c6ea
--- /dev/null
+++ b/openbsd-compat/port-solaris.c
@@ -0,0 +1,189 @@
+/* $Id: port-solaris.c,v 1.1 2006/08/30 17:24:42 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+#include "includes.h"
+
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <string.h>
+#include <unistd.h>
+
+#include <libcontract.h>
+#include <sys/contract/process.h>
+#include <sys/ctfs.h>
+
+#include "log.h"
+
+#define CT_TEMPLATE     CTFS_ROOT "/process/template"
+#define CT_LATEST       CTFS_ROOT "/process/latest"
+
+static int tmpl_fd = -1;
+
+/* Lookup the latest process contract */
+static ctid_t
+get_active_process_contract_id(void)
+{
+        int stat_fd;
+        ctid_t ctid = -1;
+        ct_stathdl_t stathdl;
+
+        if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
+                error("%s: Error opening 'latest' process "
+                    "contract: %s", __func__, strerror(errno));
+                return -1;
+        }
+        if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
+                error("%s: Error reading process contract "
+                    "status: %s", __func__, strerror(errno));
+                goto out;
+        }
+        if ((ctid = ct_status_get_id(stathdl)) < 0) {
+                error("%s: Error getting process contract id: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+
+        ct_status_free(stathdl);
+ out:
+        close(stat_fd);
+        return ctid;
+}
+
+void
+solaris_contract_pre_fork(void)
+{
+        if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
+                error("%s: open %s: %s", __func__,
+                    CT_TEMPLATE, strerror(errno));
+                return;
+        }
+
+        debug2("%s: setting up process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* We have to set certain attributes before activating the template */
+        if (ct_pr_tmpl_set_fatal(tmpl_fd,
+            CT_PR_EV_HWERR|CT_PR_EV_SIGNAL|CT_PR_EV_CORE) != 0) {
+                error("%s: Error setting process contract template "
+                    "fatal events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_tmpl_set_critical(tmpl_fd, CT_PR_EV_HWERR) != 0) {
+                error("%s: Error setting process contract template "
+                    "critical events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+
+        /* Now make this the active template for this process. */
+        if (ct_tmpl_activate(tmpl_fd) != 0) {
+                error("%s: Error activating process contract "
+                    "template: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+}
+
+void
+solaris_contract_post_fork_child()
+{
+        debug2("%s: clearing process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* Clear the active template. */
+        if (ct_tmpl_clear(tmpl_fd) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+}
+
+void
+solaris_contract_post_fork_parent(pid_t pid)
+{
+        ctid_t ctid;
+        char ctl_path[256];
+        int r, ctl_fd = -1, stat_fd = -1;
+
+        debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
+
+        if (tmpl_fd == -1)
+                return;
+
+        /* First clear the active template. */
+        if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+
+        /*
+         * If either the fork didn't succeed (pid < 0), or clearing
+         * th active contract failed (r != 0), then we have nothing
+         * more do.
+         */
+        if (r != 0 || pid <= 0)
+                return;
+
+        /* Now lookup and abandon the contract we've created. */
+        ctid = get_active_process_contract_id();
+
+        debug2("%s: abandoning contract id %ld", __func__, ctid);
+
+        snprintf(ctl_path, sizeof(ctl_path),
+            CTFS_ROOT "/process/%ld/ctl", ctid);
+        if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
+                error("%s: Error opening process contract "
+                    "ctl file: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_ctl_abandon(ctl_fd) < 0) {
+                error("%s: Error abandoning process contract: %s",
+                    __func__, strerror(errno));
+                goto fail;
+        }
+        close(ctl_fd);
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+        if (stat_fd != -1)
+                close(stat_fd);
+        if (ctl_fd != -1)
+                close(ctl_fd);
+}
+#endif
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
new file mode 100644
index 000000000..4c324871e
--- /dev/null
+++ b/openbsd-compat/port-solaris.h
@@ -0,0 +1,27 @@
+/* $Id: port-solaris.h,v 1.1 2006/08/30 17:24:42 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_SOLARIS_H
+
+#include <sys/types.h>
+
+void solaris_contract_pre_fork(void);
+void solaris_contract_post_fork_child(void);
+void solaris_contract_post_fork_parent(pid_t pid);
+
+#endif